"Host_IDS_File_Tampering" IDS policy triggers filewatch event when C:\windows\temp folder altered is NOT configured to be monitored.
Monitoring %systemroot%\*.exe or %systemroot%\*.dll (as defined in the default "Host_IDS_File_Tampering" policy) will trigger events for c:\windows\temp\*.exe or c:\windows\temp\*.dll due to wildcard match.
SCSP is behaving as designed but the design can be improved.
The issue is planned to be addressed in the next major release of SCSP which can be some time away.
A workaround is to add %SystemRoot%\Temp to the "Ignore Files" option setting in the policy.
From testing, this issue is not specific to a particular version of Symantec Critical System Protection (SCSP).
Imported Document Id
This is machine translated content
Login to Subscribe
Please login to set up your subscription.
Didn't find the article you were looking for? Try these resources.